
It’s not that fraudsters have trouble keeping up with the latest technology; they are actually quite tech savvy. It’s just that they look at technology investments like a normal business would – it’s got to earn a better ROI. But today fraudsters can launch very profitable attacks on the customer acquisition and retention processes using almost no technology.

For instance, if a fraudster gets hold of 5 new iPhones, the potential value of that is $5,000 and they don’t need any technology to do that -- just make a few phone calls.

Let’s walk through a couple of the hot fraud issues folks talked about at the CFCA:

Hidden SIM Swaps

If a customer loses a SIM card, he can get and activate a new replacement SIM: no problem. But what if that SIM card replacement process is targeted by a fraudster? Well then, the fraudster can – very conveniently -- take over the account without ever having to become the account holder. And making free phone calls is just the beginning.

A bigger threat from account takeover happens when the customer’s bank uses the phone number to validate banking transactions -- because calls are now going to the fraudster who has assumed control of the account, not to the original customer.

Say the fraudster makes an on-line banking transaction paying his own company $10,000 out of the customer’s bank account. Well, your bank will often call to validate a large transaction like that, but since the SIM has been swapped, it’s the fraudster who validates the transaction.

So I think you can easily see that a bank account fraud loss like that -- whether the operator is actually to blame or not – can kill a customer’s trust in his mobile carrier.

It’s a very natural thing for operators to try to keep the customer happy, so if they do genuinely lose their SIM or lose their phone, they want the customer to be able to replace it quickly – it may be their only communications device. So what does the operator do to keep the customer happy? The operator simplifies the rules and process in these situations and fails to apply the same high levels of controls or prescribed identity checks used for new subscribers. Well, this is exactly what opens the door for the fraudster.

Attacking Existing Accounts

Over the last several years, CSPs have put good controls in place to spot simple identity fraud, so that issue has basically flat-lined: it’s not growing. Where the real identity fraud growth is occurring today is in capturing existing accounts, or what we call account takeover.

Identity checking is usually very good if you are a new customer and you walk into a mobile store to buy a handset and network service. To get an account, they are going to check your government ID, ask for other proof, do a credit check, and check your history as a financial entity with official agencies.

And yet, if you have been a good customer for a year, the only thing you have to do to get verified is to ring customer service, give them your name and address and perhaps another item of simple information. That could be a password, but it could also be the amount of your last bill. So the security screen is much thinner.

Let’s say you call to add a new line as an existing customer. Often an operator won’t do any credit check or any other checks and balances. This turns out to be a big security hole. So the attempt to be customer friendly and make it easy for the customer to add new services provides an opportunity for the fraudster.

The other technique, of course, is phishing using either the phone or email. On the phone, they set the Caller ID to make you think they are calling from the customer service department of a network or service provider, and their goal is to extract sensitive identity information by making statements such as “there are issues on your account” (a technique called social engineering).

In phishing emails, you are likely to read that there are problems or issues with the account of the phone system, and the email asks you to respond with a password or other verification details.

Then once the fraudster gains such customer details, he can freely come on the network -- via customer service or web self-service -- using the obtained passwords and add four extra phone lines and four more handsets to the account.

This scam offers very quick returns for the fraudster. Once again, the unhappy customer blames the operator for allowing his account details to be compromised – even if the customer gave away his account details through an email or phone call or SMS.

Once the fraudsters have the handsets and SIMs, they will resell the handsets and also do the traditional routine: call reselling, premium rate fraud on the account, and other ploys.

Now when two or three lines are added to the account, it’s quite obvious when the customer looks at his next statement. However, in many cases, the customer will not detect the change. Say the customer is at the end of her two-year contract. She might be quite happy with her current iPhone and doesn’t even think about upgrading her handset, but if the fraudster gets in and does the upgrade for her, she may not even realize the account has been upgraded because there are not necessarily any new charges on the account -- just a renewal of the contract. If the customer does not know their contract expiration date, the fraud can run for several months until it is detected when the customer eventually decides they would like an upgrade.

So to conclude, fraudsters are always looking at ways of exploiting new technologies such as LTE and 4G. However, they see no need to invest in that quite yet, because they have found lucrative avenues for creating plenty of revenue and profit by attacking the existing weak points of customer service systems and processes at the carriers, banks, and retailers within the communications network.

Clearly one of the best antidotes in such fraud prevention is to introduce more solid controls in the customer service process and focus on the protection of customer data and identities.
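
As an added example (not part of the original article), the sketch below shows one way a customer service system could hold account-changing requests that were verified more thinly than a new subscriber would be, and flag a burst of added lines on one account. The event schema, factor names, and thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed policy, modelled on the new-subscriber checks the article describes:
# account-changing requests need a government ID check, not just knowledge items.
REQUIRED = {"government_id"}
HIGH_RISK = {"sim_swap", "add_line", "handset_upgrade"}
BURST_WINDOW = timedelta(hours=24)  # assumed threshold
BURST_LIMIT = 2                     # assumed: max lines added per window

def ev(eid, acct, ts, action, *factors):
    """Build one customer-service event (hypothetical schema)."""
    return {"id": eid, "acct": acct, "ts": datetime.fromisoformat(ts),
            "action": action, "factors": set(factors)}

# Constructed sample events, not real data.
EVENTS = [
    ev("e1", "A100", "2024-03-01T09:00", "sim_swap", "name", "address", "last_bill_amount"),
    ev("e2", "A200", "2024-03-01T09:30", "sim_swap", "name", "government_id"),
    ev("e3", "A300", "2024-03-01T10:00", "add_line", "name", "account_password"),
    ev("e4", "A300", "2024-03-01T10:05", "add_line", "name", "account_password"),
    ev("e5", "A300", "2024-03-01T10:10", "add_line", "name", "account_password"),
    ev("e6", "A400", "2024-03-02T11:00", "handset_upgrade", "name", "address"),
    ev("e7", "A400", "2024-03-02T11:05", "bill_query", "name", "address"),
]

def review(events):
    """Map event id -> reasons the request should be held for stronger checks."""
    findings, recent_adds = {}, {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] not in HIGH_RISK:
            continue  # low-risk requests keep the lighter screen
        reasons = []
        if not REQUIRED <= e["factors"]:
            reasons.append("weak_verification")
        if e["action"] == "add_line":
            # Keep only this account's line additions inside the window.
            window = [t for t in recent_adds.get(e["acct"], [])
                      if e["ts"] - t <= BURST_WINDOW] + [e["ts"]]
            recent_adds[e["acct"]] = window
            if len(window) > BURST_LIMIT:
                reasons.append("line_burst")
        if reasons:
            findings[e["id"]] = reasons
    return findings

if __name__ == "__main__":
    for eid, reasons in review(EVENTS).items():
        print(eid, ", ".join(reasons))
```

The phished-password case (e3 to e5) shows why the burst check is kept separate: it still fires on repeated line additions even if the policy were relaxed to accept a password.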